Hot on the heels of California Attorney General Rob Bonta’s announcement of an investigative sweep targeting streaming services (see our blog post here), Connecticut’s Office of the Attorney General (“OAG”) is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). We’ve previously covered Colorado and California enforcement activity here.
The CTDPA went into effect on July 1, 2023, and mandated that the OAG prepare a report, no later than February 1, 2024, outlining: (1) The number of notices of violation the OAG has issued; (2) the nature of each violation; (3) the number of violations that were cured during the 60-day cure period; and (4) any other matter the OAG deems relevant (the “Report”). With the release of the Report, we see a glimpse of how the OAG handles consumer complaints, potential enforcement priorities and even legislative recommendations.
In the six months since the CTDPA went into effect, the OAG issued over a dozen “cure notices” to companies regarding alleged violations of the CTDPA, along with a number of broader information requests. As reflected in the Report and by its enforcement activity, the OAG appears to share concerns similar to those of the California AG with respect to the collection and use of sensitive data (such as biometrics and children’s/teens’ data), together with a focus on digital advertising practices. Additional information regarding key California Consumer Privacy Act enforcement actions is available here. The following is a summary of the key aspects of the Report:
Since the CTDPA went into effect, the OAG has received over 30 consumer complaints. Of those complaints, the majority related to a consumer’s ability to exercise their rights, with a specific focus on requests to delete. Upon investigation, one-third of those complaints related to companies subject to entity-level exceptions or to data that was either exempt or did not meet the CTDPA’s definition of “personal data.”
- The report emphasizes the importance of consumer complaints as “even a single consumer complaint could ultimately lead us down a path to enforcement.”
- Companies should focus on responding to consumer rights requests adequately to avoid consumers submitting complaints to the OAG.
The OAG reviewed companies’ privacy policies across numerous industries and tested the functionality of consumer rights request mechanisms. The deficiencies identified included:
- Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the CTDPA);
- Inadequate disclosures (e.g., failure to sufficiently inform Connecticut residents about their rights under the law or how Connecticut residents may appeal denials);
- Confusing disclosures (e.g., statements creating an impression that consumers may be charged for rights requests as a default, as opposed to only for manifestly unfounded, excessive or repetitive requests);
- Lacking rights mechanisms (e.g., failure to include a clear and conspicuous link to a webpage enabling consumers to opt out of the targeted advertising or sale of their data);
- Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and
- Broken/inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).
Anything that is consumer-facing should be considered under immediate scrutiny by the OAG. Companies should prioritize updating their privacy policies, mechanisms for obtaining consent or submitting consumer rights requests, hyperlinks and other privacy disclosures.
The OAG described several examples of inquiry letters and cure notices sent to various companies that collected sensitive data (biometric data, precise geolocation, etc.). Companies were identified through news media reports, consumer complaints, company press releases, industry group reports and notices from data breach incidents. While the details of the letters/notices were not provided, the communications largely appear to request information regarding sensitive data practices including data collection and sharing, and overall compliance with CTDPA.
- The collection and use of sensitive data is a key area of concern for the OAG.
- While not expressly stated in the report, obtaining appropriate consent for the collection and use of sensitive data is likely key. The CTDPA has stringent and specific consent requirements, so companies need to be sure they understand those requirements and address them accordingly.
- Teens’ data and digital advertising practices are garnering attention.
- The OAG is watching advocacy groups’ activities to identify enforcement opportunities.
The OAG has expressed concern about practices in the digital marketing landscape. In one specific example, a consumer submitted a complaint after receiving an advertisement for cremation services shortly after completing chemotherapy. After a brief investigation, the OAG sent a cure notice to the cremation company and has begun investigating a data broker in connection with the complaint.
The digital advertising space continues to be highly scrutinized.
The OAG outlined the following legislative changes which, in their view, would “strengthen and clarify privacy protections”:
- Remove entity-level exemptions for non-profits and companies regulated by federal privacy laws such as GLBA, HIPAA, FCRA, etc.
- Introduce a “one-stop-shop” data deletion mechanism like the mechanism created by California’s Delete Act for data brokers.
- Add a “Right to Know – Specific Third Parties,” as in the privacy laws of Oregon (which offers the right to know the specific third parties that receive personal data) or Delaware (which offers the right to know the categories of third parties to which the controller has disclosed that specific consumer’s personal data). The OAG noted the importance of Connecticut residents being able to track their data downstream to specific third-party recipients so they can exercise their rights under the CTDPA.
- Expand the definition of “Biometric Data” so that it is not limited to data that is actually “used” to identify a specific individual but instead covers all biometric data that is “capable” of such use.
- Clarify/correct drafting errors that cause confusion with respect to protections for teens’ data and the definition of “Publicly Available Information.”
  - As drafted today, the CTDPA appears to provide an absolute prohibition on targeted advertising to teens regardless of consent, but conversely allows the sale of teens’ data if consent is obtained. The OAG appears to request clarity regarding whether consent can be obtained to target advertising to teens.
  - With respect to the definition of “Publicly Available Information,” today the definition reads “information that (A) is lawfully made available through … government records or widely distributed media, and (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.” The OAG believes that the inclusion of the “and” was a scrivener’s error and that the legislature may have intended the word “or,” which would align with the definitions in other state privacy laws.
With Connecticut and California bringing enforcement top of mind for many companies, we prepared the below list of upcoming enforcement dates and sunset deadlines for rights to cure for omnibus privacy laws that go into effect this year:
| Law | Effective Date | Right to Cure |
|---|---|---|
| Florida SB 262 | July 1, 2024 | 45-Day Notice and Cure Provision will remain in effect indefinitely. |
| Texas Data Privacy and Security Act | July 1, 2024 | 30-Day Notice and Cure Provision will remain in effect indefinitely. |
| Oregon Consumer Privacy Act | July 1, 2024 | 30-Day Notice and Cure Provision will remain in effect until January 1, 2026. |
| Montana Consumer Data Privacy Act | October 1, 2024 | 60-Day Notice and Cure Provision will remain in effect until April 1, 2026. |
The Privacy World team will continue to monitor the developing privacy law landscape to keep you in the loop.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.